
Using the recent protests in Iran as a phishing lure, the threat actors have deployed a multi-stage malware chain designed to evade detection through steganography and the abuse of legitimate cloud services.
Stealthy Attack Chain and Cloud Abuse
The attack begins with a malicious Excel macro document disguised as a list of casualties or participants related to recent protests in Tehran.
When a victim opens the file and enables macros, a VBA script decodes embedded C# source code and compiles it locally with the C# compiler that ships with Windows (csc.exe), so no pre-built executable has to travel inside the document.
This creates a malicious loader that operates entirely in memory, minimizing its footprint on the infected system.
To maintain persistence, the malware copies legitimate Windows executables and schedules tasks to trigger the malicious payload whenever the host computer starts.
What makes this campaign unique is its reliance on trusted cloud infrastructure to fetch its command-and-control (C2) instructions. Once active, the loader connects to a hardcoded GitHub repository to read an encoded text file.
This file provides a Google Drive link that downloads a seemingly ordinary PNG image. The image, however, carries encrypted configuration data hidden in its pixels with Least Significant Bit (LSB) steganography, which changes each pixel value by at most one and leaves the picture visually unchanged.
The loader extracts the hidden bits, reverses a combination of Base64 encoding and XOR, and recovers the network addresses it needs to download its next-stage attack modules.
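As an added example (not code from the article and not OilRig's own loader), the Python below reproduces the retrieval step end to end so an analyst can see what the image actually carries: it writes a genuine PNG, hides a Base64-encoded, XOR-encrypted configuration string in the least significant bit of every pixel byte, then parses the PNG back and recovers the configuration. The key, the configuration contents, the 4-byte length prefix and the order of the Base64 and XOR layers are assumptions for illustration; the article does not specify them. Everything is standard library, and the cover image is synthesized in code so nothing has to be downloaded.

```python
import base64
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def png_encode(width: int, height: int, rgb: bytearray) -> bytes:
    """Write 8-bit RGB pixels as a PNG using filter type 0 on every scanline."""
    stride = width * 3
    raw = b"".join(b"\x00" + bytes(rgb[y * stride:(y + 1) * stride]) for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def png_decode(data: bytes):
    """Minimal reader for the files png_encode() produces (8-bit RGB, filter 0 only)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos < len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("example reader handles 8-bit RGB only")
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = width * 3
    rgb = bytearray()
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[0] != 0:
            raise ValueError("example reader handles filter type 0 only")
        rgb += row[1:]
    return width, height, rgb


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed_config(rgb: bytearray, config: str, key: bytes) -> bytearray:
    """Base64 the config, XOR it, prefix a 4-byte length, then put one bit in the LSB of each pixel byte."""
    payload = xor(base64.b64encode(config.encode()), key)
    blob = struct.pack(">I", len(payload)) + payload          # assumed framing: big-endian length prefix
    bits = "".join(f"{b:08b}" for b in blob)
    if len(bits) > len(rgb):
        raise ValueError("cover image too small for payload")
    out = bytearray(rgb)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | int(bit)                  # only the least significant bit changes
    return out


def extract_config(rgb: bytearray, key: bytes) -> str:
    """Inverse of embed_config(): gather LSBs, read the length prefix, undo the XOR, then the Base64."""
    def read(offset: int, n: int) -> bytes:
        lsb = rgb[offset * 8:(offset + n) * 8]
        return bytes(int("".join(str(b & 1) for b in lsb[i:i + 8]), 2) for i in range(0, n * 8, 8))
    (length,) = struct.unpack(">I", read(0, 4))
    return base64.b64decode(xor(read(4, length), key)).decode()


def make_cover(width: int, height: int) -> bytearray:
    """Deterministic synthetic gradient so the example needs no image on disk (constructed data)."""
    return bytearray((x * 3 + y * 5 + c * 7) & 0xFF for y in range(height) for x in range(width) for c in range(3))


# Hypothetical configuration and key; the real campaign's values are not given in the article.
CONFIG = "next_stage=https://example.invalid/modules;telegram_token=123456:EXAMPLE;chat_id=-100123"
KEY = b"k3y"


def demo() -> str:
    """Embed CONFIG, round-trip through a real PNG file, and recover it the way the loader would."""
    width, height = 64, 48
    stego_png = png_encode(width, height, embed_config(make_cover(width, height), CONFIG, KEY))
    _, _, pixels = png_decode(stego_png)
    return extract_config(pixels, KEY)


if __name__ == "__main__":
    print(demo())
```

Two points worth taking from running it: the stego image differs from the cover by at most one unit per channel, so visual inspection and file-type checks pass, and the length prefix is what tells the extractor where to stop. A defender who recovers the key from the loader can reuse extract_config() directly on the downloaded PNG; without the key, the Base64 layer still makes a wrong guess obvious because the decode fails.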
Advanced Evasion and Telegram C2
After the loader extracts the hidden configuration from the Google Drive image, it begins fetching highly specialized payload modules.
These modular components are loaded directly into memory and never written to disk, which sidesteps file-based antivirus scanning.
The distinct modules handle various malicious activities, including file uploads, theft of sensitive data, direct command execution, and launching other compromised applications.
For its primary command-and-control communication, the malware establishes an encrypted channel using the Telegram Bot API.
The bot token and chat ID come from the same configuration recovered from the steganographic image.
This lets the attackers send commands and receive stolen data inside legitimate Telegram traffic, which is ordinary HTTPS to Telegram's API servers, blends in with normal network activity and is rarely blocked by corporate firewalls.
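The two behaviours the article describes at the start and end of the chain, an Office process compiling C# through csc.exe and an unexpected process talking to the Telegram Bot API, are both observable on the endpoint. As an added example (not from the article or any vendor product), the Python below runs three simple rules over Sysmon-style JSON events: process creation (Event ID 1) for an Office parent spawning csc.exe or vbc.exe, a schtasks.exe /create with a boot-time trigger whose action lives under a user profile, and a network connection (Event ID 3) to api.telegram.org from anything other than an expected client. The event lines, paths and the allow-list of Telegram clients are constructed for the example; api.telegram.org is the real Bot API host.

```python
import json

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
COMPILER_CHILDREN = {"csc.exe", "vbc.exe"}
TELEGRAM_API = "api.telegram.org"  # Bot API endpoint: https://api.telegram.org/bot<token>/<method>
# Hypothetical allow-list of processes expected to reach the Telegram API in this environment.
TELEGRAM_EXPECTED = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the finding names that fire for one Sysmon-style event (empty list if benign)."""
    findings = []
    eid = event.get("EventID")
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    if eid == 1:
        # Office application compiling C# on the fly (the VBA -> csc.exe step).
        if parent in OFFICE_PARENTS and image in COMPILER_CHILDREN:
            findings.append("office_spawns_compiler")
        # Boot-time scheduled task whose action points into a user profile.
        if image == "schtasks.exe" and "/create" in cmd and "onstart" in cmd and "\\users\\" in cmd:
            findings.append("startup_task_from_user_profile")
    elif eid == 3:
        host = (event.get("DestinationHostname") or "").lower()
        if host == TELEGRAM_API and image not in TELEGRAM_EXPECTED:
            findings.append("unexpected_telegram_bot_api_client")
    return findings


def scan(log_lines) -> list:
    """Run evaluate() over JSON lines and return (image name, finding) pairs in log order."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for finding in evaluate(event):
            hits.append((basename(event.get("Image", "")), finding))
    return hits


# Constructed sample events (not real telemetry). Lines 1, 3 and 4 should fire; the others should not.
SAMPLE_EVENTS = r"""
{"EventID":1,"Image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","CommandLine":"csc.exe /noconfig /fullpaths @C:\\Users\\u\\AppData\\Local\\Temp\\x.cmdline"}
{"EventID":1,"Image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe","ParentImage":"C:\\Program Files\\Microsoft Visual Studio\\Common7\\IDE\\devenv.exe","CommandLine":"csc.exe /noconfig @C:\\src\\proj\\obj\\Debug\\proj.cmdline"}
{"EventID":1,"Image":"C:\\Windows\\System32\\schtasks.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"schtasks.exe /create /tn Updater /sc onstart /tr \"C:\\Users\\u\\AppData\\Roaming\\Updater\\app.exe\" /f"}
{"EventID":3,"Image":"C:\\Users\\u\\AppData\\Roaming\\Updater\\app.exe","DestinationHostname":"api.telegram.org","DestinationPort":443}
{"EventID":3,"Image":"C:\\Users\\u\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe","DestinationHostname":"api.telegram.org","DestinationPort":443}
{"EventID":3,"Image":"C:\\Users\\u\\AppData\\Roaming\\Updater\\app.exe","DestinationHostname":"raw.githubusercontent.com","DestinationPort":443}
"""


if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{finding}: {image}")
```

The GitHub and Google Drive fetches are deliberately not alerted on by themselves, since they are far too common to be useful alone; they become meaningful as context once the compiler or Telegram rule fires on the same host. The Telegram rule depends on Sysmon's DestinationHostname field, which is populated from DNS lookups and will be empty if the malware connects by IP, so a DNS-query rule (Event ID 22) for the same host is the natural companion.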
Furthermore, security researchers noted that the source code contains Persian comments and heavily mirrors past OilRig operations, firmly attributing this modernized, cloud-abusing threat to the Iranian APT group.
By shifting to fileless memory execution and exploiting platforms such as Google Drive, GitHub, and Telegram, OilRig continues to demonstrate its ability to adapt and evade modern endpoint security defenses.
The post Iranian APT OilRig Hides Malware Config Inside Google Drive Image appeared first on Cyber Security News.
